Spring Boot 3 + Security - Change Default Username and Password (Set Custom Credentials) | JavaInUse

Spring Boot 3 + Security - Change Default Password (Set Custom Credentials)

In a previous tutorial we implemented a simple Spring Boot 3 + Security authentication example. We saw that on startup Spring Security enables authentication by default and creates a default username and password for us. In another previous tutorial, we used the Spring Security configuration to disable the default authentication. In this tutorial we will modify the Spring Security configuration to create a custom username and password.

Implement Security Configuration to create custom username and password

In a previous tutorial we implemented a simple Spring Boot 3 + Security authentication example, and looked at the internal working of Spring Security.
We will be modifying this project. The Maven project will be as follows-
[Image: Spring Boot Security Disable authentication]
For this tutorial let us first understand some Spring Security classes:
  • User - In Spring Security this class stores the username and password for the Spring Boot application.
  • UserDetailsService - This is an interface with a single method, loadUserByUsername. InMemoryUserDetailsManager implements this interface and holds an instance of the Spring Security User class. Using InMemoryUserDetailsManager.loadUserByUsername, we can retrieve the User instance. The retrieved User instance is used during authentication: the credentials entered by the user are compared with those of the retrieved User instance, and if they match the user is logged in successfully.
  • UserDetailsServiceAutoConfiguration - When no custom credentials are provided by the developer, UserDetailsServiceAutoConfiguration creates a Spring Security User with the default username user and a generated password. This User is then provided to InMemoryUserDetailsManager. If the application defines its own UserDetailsService bean, UserDetailsServiceAutoConfiguration is automatically disabled. In that case we pass the newly created user to the InMemoryUserDetailsManager ourselves.
  • DaoAuthenticationProvider - This is where the comparison between the credentials entered by the user and the credentials held by the Spring Boot application happens.
Start the Spring Boot application. As we have not created a custom UserDetailsService bean, Spring Security uses UserDetailsServiceAutoConfiguration to create a Spring Security User with the default username user and a generated password.
[Image: Spring Boot Security Config]
So to use custom credentials for the Spring Boot application, we need to define a bean of type UserDetailsService. In a previous tutorial, we used the Spring Security configuration to disable the default authentication. We will create a similar configuration class named SecurityConfig. In this configuration class we will create a UserDetailsService bean of type InMemoryUserDetailsManager, and in it configure a User with a custom username and password.
package com.javainuse.boot3security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

	@Bean
	SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		// Lambda DSL: the no-argument formLogin() and authorizeHttpRequests()
		// are deprecated as of Spring Security 6.1.
		http.formLogin(Customizer.withDefaults());
		// Every request requires an authenticated user.
		http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
		return http.build();
	}

	@Bean
	UserDetailsService userDetailsService() {
		InMemoryUserDetailsManager userDetailsService = new InMemoryUserDetailsManager();
		// The password is stored exactly as given; no PasswordEncoder is configured yet.
		UserDetails user = User.withUsername("javainuse").password("javainuse").authorities("read").build();
		userDetailsService.createUser(user);
		return userDetailsService;
	}

}

Start the Spring Boot application. We can see in the console that Spring Security no longer creates a default password.
[Image: Spring Boot Security Config]
Go to localhost:8080/hello and we get the Spring Security login page.
[Image: Spring Boot Security Hello World]
Enter the credentials we specified in the above configuration class, i.e. javainuse as both username and password. We get the following exception:
java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null"
[Image: Spring Boot Security No PasswordEncoder Exception]
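Where the id "null" in that message comes from, as an added example that is not part of the original tutorial: when no PasswordEncoder bean is defined, DaoAuthenticationProvider matches passwords with a DelegatingPasswordEncoder, which reads a {id} prefix on the stored value to pick the algorithm. The class name PasswordEncoderIdDemo and the check helper are illustrative.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added illustration, not part of the tutorial's project.
// Needs spring-security-crypto on the classpath (pulled in by spring-boot-starter-security).
public class PasswordEncoderIdDemo {

	// Returns "true"/"false", or the exception message when the encoder rejects the stored value.
	static String check(PasswordEncoder encoder, String raw, String stored) {
		try {
			return String.valueOf(encoder.matches(raw, stored));
		} catch (IllegalArgumentException e) {
			return "IllegalArgumentException: " + e.getMessage();
		}
	}

	public static void main(String[] args) {
		String raw = "javainuse"; // the tutorial's demo password

		// What DaoAuthenticationProvider falls back to when no PasswordEncoder bean exists.
		PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();
		// What a configuration with a BCryptPasswordEncoder bean uses instead.
		PasswordEncoder bcrypt = new BCryptPasswordEncoder();

		String prefixed = delegating.encode(raw); // "{bcrypt}$2a$10$..."
		String bare = bcrypt.encode(raw);         // "$2a$10$..."
		String id = prefixed.substring(0, prefixed.indexOf('}') + 1);

		// Stored value with no {id} prefix: the situation of the SecurityConfig above.
		System.out.println("delegating, no prefix : " + check(delegating, raw, raw));
		// The prefix selects the algorithm used for matching.
		System.out.println("delegating, " + id + "  : " + check(delegating, raw, prefixed));
		// {noop} is the explicit plain-text marker (NoOpPasswordEncoder).
		System.out.println("delegating, {noop}    : " + check(delegating, raw, "{noop}" + raw));
		// A bare bcrypt hash has no prefix either, so the delegating encoder rejects it too.
		System.out.println("delegating, bare hash : " + check(delegating, raw, bare));
		// A BCryptPasswordEncoder expects exactly the bare form ...
		System.out.println("bcrypt, bare hash     : " + check(bcrypt, raw, bare));
		// ... and does not match a prefixed value, so the two storage formats are not interchangeable.
		System.out.println("bcrypt, prefixed hash : " + check(bcrypt, raw, prefixed));
		// bcrypt salts every hash: encoding the same password twice gives different strings.
		System.out.println("two hashes identical  : " + bare.equals(bcrypt.encode(raw)));
	}
}
```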
Spring Security 4 allowed passwords to be stored in plain text with in-memory authentication. From Spring Security 5 onwards, however, it is necessary to specify a password encoder. In a previous tutorial, Spring Boot Security - Password Encoding Using BCrypt, we saw why password encoding is needed. Next we configure a bcrypt password encoder as follows-
package com.javainuse.boot3security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

	@Bean
	UserDetailsService userDetailsService() {
		InMemoryUserDetailsManager userDetailsService = new InMemoryUserDetailsManager();
		// Store the bcrypt hash of the password, not the password itself.
		UserDetails user = User.withUsername("javainuse").password(passwordEncoder().encode("javainuse"))
				.authorities("read").build();
		userDetailsService.createUser(user);
		return userDetailsService;
	}

	// Picked up by DaoAuthenticationProvider to compare the entered password with the stored hash.
	@Bean
	BCryptPasswordEncoder passwordEncoder() {
		return new BCryptPasswordEncoder();
	}

	@Bean
	SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		// Lambda DSL: the no-argument formLogin() and authorizeHttpRequests()
		// are deprecated as of Spring Security 6.1.
		http.formLogin(Customizer.withDefaults());
		http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
		return http.build();
	}

}
Start the application again. If we now log in again with the custom credentials, the login succeeds.
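The configuration above still carries the password as a string literal in source. A variant that takes the username and an already computed bcrypt hash from externalized configuration, as an added example that is not part of the original tutorial; the class name ExternalCredentialsConfig and the property names app.security.username and app.security.password-hash are assumptions.

```java
package com.javainuse.boot3security;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Added example: takes the place of the userDetailsService and passwordEncoder beans
// in the tutorial's SecurityConfig; the filterChain bean stays where it is.
@Configuration
public class ExternalCredentialsConfig {

	// Shape of a hash written by BCryptPasswordEncoder: version, two-digit cost,
	// then 53 characters of salt and hash.
	private static final String BCRYPT_FORMAT = "\\$2[aby]\\$\\d\\d\\$[./0-9A-Za-z]{53}";

	@Bean
	PasswordEncoder passwordEncoder() {
		return new BCryptPasswordEncoder();
	}

	@Bean
	UserDetailsService userDetailsService(
			@Value("${app.security.username}") String username,            // hypothetical property name
			@Value("${app.security.password-hash}") String passwordHash) { // hypothetical property name
		// Fail at startup if a plain-text password or a {bcrypt}-prefixed value was
		// configured by mistake, rather than letting every login fail silently later.
		if (!passwordHash.matches(BCRYPT_FORMAT)) {
			throw new IllegalStateException("app.security.password-hash must be a bare bcrypt hash");
		}
		// The hash is stored as supplied; the plain-text password never reaches the application.
		UserDetails user = User.withUsername(username).password(passwordHash).authorities("read").build();
		return new InMemoryUserDetailsManager(user);
	}

}
```

The hash is produced once, outside the application, with new BCryptPasswordEncoder().encode(...), and only the hash is supplied at deploy time.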

Download Source Code

Download it -
Spring Boot 3 Security - Custom Credentials